author | Wojciech Kosior <kwojtus@protonmail.com> | 2020-06-05 13:13:25 +0200 |
---|---|---|
committer | Wojciech Kosior <kwojtus@protonmail.com> | 2020-06-05 13:13:25 +0200 |
commit | 4fc3015b2dd76c0a9112794bc95e1f926c1c9f0f (patch) | |
tree | c2064fc1edea14f50e3467fd9d16c788d2febb89 /src/netns-script | |
parent | 7614d6aade16998b6d76fcc8986b603dfc01218c (diff) | |
download | 0tdns-4fc3015b2dd76c0a9112794bc95e1f926c1c9f0f.tar.gz 0tdns-4fc3015b2dd76c0a9112794bc95e1f926c1c9f0f.zip |
enable some connections to bypass vpn
Diffstat (limited to 'src/netns-script')
-rwxr-xr-x | src/netns-script | 39 |
1 files changed, 35 insertions, 4 deletions
diff --git a/src/netns-script b/src/netns-script
index 7c29811..f4380eb 100755
--- a/src/netns-script
+++ b/src/netns-script
@@ -3,9 +3,14 @@
 # adapted from
 # https://unix.stackexchange.com/questions/149293/feed-all-traffic-through-openvpn-for-a-specific-network-namespace-only
-# vpn_wrapper.sh creates another script of name helper_script<timestamp>.sh,
-# which gets called by openvpn process, exports NAMESPACE_NAME and WRAPPER_PID
-# variables and then runs this script
+# vpn_wrapper.sh passes the following variables through openvpn's
+# --setenv option:
+# NAMESPACE_NAME
+# WRAPPER_PID
+# VETH_HOST0
+# VETH_HOST1
+# ROUTE_THROUGH_VETH
+# PHYSICAL_IP
 case $script_type in
 up)
@@ -19,19 +24,45 @@ case $script_type in
 ip netns exec $NAMESPACE_NAME ip addr add dev "$1" \
 "$ifconfig_ipv6_local"/112
 fi
+
+ # the following is done to enable some connections to bypass vpn
+ VETH0=v0tdns${WRAPPER_PID}_0
+ VETH1=v0tdns${WRAPPER_PID}_1
+ ip link add $VETH0 type veth peer name $VETH1
+ ip link set $VETH1 netns $NAMESPACE_NAME
+ ip addr add $VETH_HOST0/30 dev $VETH0
+ ip netns exec $NAMESPACE_NAME ip addr add $VETH_HOST1/30 dev $VETH1
+ ip link set $VETH0 up
+ ip netns exec $NAMESPACE_NAME ip link set $VETH1 up
 ;;
 route-up)
- ip netns exec $NAMESPACE_NAME ip route add default via "$ifconfig_remote"
+ # TODO change to only forward from necessary interfaces
+ echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
+ ip netns exec $NAMESPACE_NAME ip route add default via "$ifconfig_remote"
+
 if [ -n "$ifconfig_ipv6_remote" ]; then
 ip netns exec $NAMESPACE_NAME ip route add default via \
 "$ifconfig_ipv6_remote"
 fi
+ # here go routes for bypassing vpn
+ for ADDRESS in $ROUTE_THROUGH_VETH; do
+ ip netns exec $NAMESPACE_NAME ip route add $ADDRESS via $VETH_HOST0
+ iptables -t nat -A POSTROUTING -s $VETH_HOST1/32 \
+ -j SNAT --to-source $PHYSICAL_IP
+ done
+
+ # notify our sh process, that openvpn finished initializing
 kill -usr1 $WRAPPER_PID
 ;;
 down)
+ for ADDRESS in $ROUTE_THROUGH_VETH; do
+ iptables -t nat -D POSTROUTING -s $VETH_HOST1/32 \
+ -j SNAT --to-source $PHYSICAL_IP
+ done
+
 ip netns delete $NAMESPACE_NAME
 ;;
 esac
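Review bot: The `echo 1 > /proc/sys/net/ipv4/conf/all/forwarding` added in the route-up arm switches on IPv4 forwarding for every interface on the host and nothing in the down arm reverts it, so the host keeps forwarding after the VPN session ends; the TODO covers the scope but not the cleanup. Because openvpn runs this script as a fresh process for each hook, a value captured in up) is not visible in down), so either record the previous sysctl value in a file keyed by `$WRAPPER_PID` and restore it in down), or — if per-interface forwarding is enough for the bypass traffic — narrow the write to the veth end with `echo 1 > "/proc/sys/net/ipv4/conf/v0tdns${WRAPPER_PID}_0/forwarding"`, which goes away together with the veth pair. Separately, the `iptables -t nat -A POSTROUTING -s $VETH_HOST1/32 -j SNAT --to-source $PHYSICAL_IP` rule does not depend on `$ADDRESS`, so the loop installs one duplicate rule per bypass address; hoisting it (and the matching `-D` in down)) out of the loops leaves a single rule and makes the teardown independent of the list length. The new `$ADDRESS`, `$VETH_HOST0`, `$VETH_HOST1` and `$PHYSICAL_IP` expansions should be double-quoted the way the existing `"$ifconfig_remote"` is. The `case` these arms belong to begins in the first hunk and the up) arm starts before this hunk.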